Any cyberattack is dangerous, but supply chain cyberattacks are especially devastating. These can be any supplier of goods and services, digital or non-digital.
In 2021, we witnessed several supply chain attacks with far-reaching consequences. These are “one-to-many” attacks in which victims can extend far beyond the initial breached company.
EXAMPLES OF RECENT HIGH-PROFILE SUPPLE CHAIN ATTACKS INCLUDE:
- Colonial Pipeline: This major gas pipeline was shut down for nearly a week due to a ransomware attack.
- JBS: The world’s largest supplier of beef and pork products was infected with ransomware, forcing plants in at least three countries to close for several days.
- Kaseya: This software company’s code was infected with ransomware, which quickly spread to IT businesses that used its products, as well as approximately 1,500 of their small business customers.
Why should you be concerned about supply chain attacks even more than in the past? Because they’ve been growing and are expected to keep doing so.
During the first quarter of 2021, supply chain attacks increased by 42 percent. Surprisingly, 97 percent of companies have been impacted by a supply chain breach, with 93 percent experiencing a direct breach as a result of a supply chain security vulnerability.
If you are not properly prepared, you may be impacted by a software breach or have a critical service or goods supplier go down for several days as a result of a cyberattack.
As part of any good business continuity and disaster recovery strategy, consider supply chain risks in light of the current increase in attacks and develop a plan.
HOW CAN YOU MITIGATE YOUR RISK OF LOSSES DUE TO AN ATTACK ON YOUR SUPPLY CHAIN?
IDENTIFY YOUR SUPPLIER RISK
You can’t fix what you don’t know is wrong. So, you need to begin by shedding some light on your risk should one of your vendors get hit with ransomware (the current attack of choice on the supply chain) or another type of breach. Make a list of all your vendors and suppliers, both for goods and services. This includes everything from the cloud services you use to the company that supplies your office products or any raw materials you may use in a product you sell. Review these vendors to identify their cybersecurity risks. This is something you may need some help with from your IT partner. We can work with you to review vendor security or send them a survey to find out where they stand as to their cybersecurity, and then determine how much that may leave you at risk as one of their customers.
CREATE MINIMUM SECURITY REQUIREMENTS FOR DIGITAL VENDORS
Come up with some minimum security requirements that you can use as a benchmark with your vendors. One way to make this easier is to use an existing data privacy standard as your requirement. For example, if a vendor is GDPR compliant, then you know they’ve adopted several important cybersecurity standards that protect their business, and yours, from an attack.
DO AN IT SECURITY ASSESSMENT TO LEARN WHERE YOU’RE VULNERABLE
If the software you use had a vulnerability that was exploited by hackers to take over a system, how much does that leave your systems at risk? Do you have a regular patch application strategy in place to ensure any software updates are applied right away? You should have an IT security assessment done if you haven’t done one in over a year. This will help you identify how strong your systems would be at preventing a breach or ransomware infection that was coming from a digital supply chain vendor.
PUT BACKUP VENDORS IN PLACE WHERE POSSIBLE
If you sell widgets and have a single supplier for one specific part needed for that widget, you’re at a much higher risk of downtime than if you had two suppliers of that part. If a key vendor of yours is attacked and can’t fill orders or provide services for a week or more, how will that impact your business? This is what you want to consider when setting up backup vendors. For example, most companies would consider themselves down and not able to operate without their internet. Having a backup internet service provider can help you avoid lengthy downtime should your main ISP go down. Look at putting this type of safety net in place for all vendors that you can.
ENSURE ALL DATA KEPT IN CLOUD SERVICES IS BACKED UP IN A 3RD PARTY TOOL
Microsoft recommends in its Services Agreement that customers back up their cloud data that is kept in its services (such as Microsoft 365). The policy states, “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” You should have a backup (in a separate platform) of all data that you store in cloud services, so you’ll be protected in case of a ransomware infection or other data loss or service loss incident.
SCHEDULE A SUPPLY CHAIN SECURITY ASSESSMENT
Don’t be in the dark about your risk. Schedule a supply chain security assessment to learn where you could be impacted in the case of a cyberattack on a supplier.